diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/libgpo/gpo_ldap.c | 866 |
1 files changed, 0 insertions, 866 deletions
diff --git a/source3/libgpo/gpo_ldap.c b/source3/libgpo/gpo_ldap.c deleted file mode 100644 index 716b8729c3..0000000000 --- a/source3/libgpo/gpo_ldap.c +++ /dev/null @@ -1,866 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Object Support - * Copyright (C) Guenther Deschner 2005,2007 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -#include "includes.h" - -/**************************************************************** - parse the raw extension string into a GP_EXT structure -****************************************************************/ - -bool ads_parse_gp_ext(TALLOC_CTX *mem_ctx, - const char *extension_raw, - struct GP_EXT **gp_ext) -{ - bool ret = false; - struct GP_EXT *ext = NULL; - char **ext_list = NULL; - char **ext_strings = NULL; - int i; - - if (!extension_raw) { - goto parse_error; - } - - DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw)); - - ext = TALLOC_ZERO_P(mem_ctx, struct GP_EXT); - if (!ext) { - goto parse_error; - } - - ext_list = str_list_make_v3(mem_ctx, extension_raw, "]"); - if (!ext_list) { - goto parse_error; - } - - for (i = 0; ext_list[i] != NULL; i++) { - /* no op */ - } - - ext->num_exts = i; - - if (ext->num_exts) { - ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, - ext->num_exts); - ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, - ext->num_exts); - ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, - ext->num_exts); - ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, - ext->num_exts); - } - - ext->gp_extension = talloc_strdup(mem_ctx, extension_raw); - - if (!ext->extensions || !ext->extensions_guid || - !ext->snapins || !ext->snapins_guid || - !ext->gp_extension) { - goto parse_error; - } - - for (i = 0; ext_list[i] != NULL; i++) { - - int k; - char *p, *q; - - DEBUGADD(10,("extension #%d\n", i)); - - p = ext_list[i]; - - if (p[0] == '[') { - p++; - } - - ext_strings = str_list_make_v3(mem_ctx, p, "}"); - if (ext_strings == NULL) { - goto parse_error; - } - - for (k = 0; ext_strings[k] != NULL; k++) { - /* no op */ - } - - q = ext_strings[0]; - - if (q[0] == '{') { - q++; - } - - ext->extensions[i] = talloc_strdup(mem_ctx, - cse_gpo_guid_string_to_name(q)); - ext->extensions_guid[i] = talloc_strdup(mem_ctx, q); - - /* we might have no name for the guid */ - if (ext->extensions_guid[i] == NULL) { - goto parse_error; - } - - for (k = 1; ext_strings[k] != NULL; k++) { - - char *m = ext_strings[k]; - - if (m[0] == '{') { - m++; - } - - /* FIXME: theoretically there could be more than one - * snapin per extension */ - ext->snapins[i] = talloc_strdup(mem_ctx, - cse_snapin_gpo_guid_string_to_name(m)); - ext->snapins_guid[i] = talloc_strdup(mem_ctx, m); - - /* we might have no name for the guid */ - if (ext->snapins_guid[i] == NULL) { - goto parse_error; - } - } - } - - *gp_ext = ext; - - ret = true; - - parse_error: - TALLOC_FREE(ext_list); - TALLOC_FREE(ext_strings); - - return ret; -} - -#ifdef HAVE_LDAP - -/**************************************************************** - parse the raw link string into a GP_LINK structure -****************************************************************/ - -static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx, - const char *gp_link_raw, - uint32_t options, - struct GP_LINK *gp_link) -{ - ADS_STATUS status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - char **link_list; - int i; - - ZERO_STRUCTP(gp_link); - - DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw)); - - link_list = str_list_make_v3(mem_ctx, gp_link_raw, "]"); - if (!link_list) { - goto parse_error; - } - - for (i = 0; link_list[i] != NULL; i++) { - /* no op */ - } - - gp_link->gp_opts = options; - gp_link->num_links = i; - - if (gp_link->num_links) { - gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, - gp_link->num_links); - gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32_t, - gp_link->num_links); - } - - gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw); - - if (!gp_link->link_names || !gp_link->link_opts || !gp_link->gp_link) { - goto parse_error; - } - - for (i = 0; link_list[i] != NULL; i++) { - - char *p, *q; - - DEBUGADD(10,("gpo_parse_gplink: processing link #%d\n", i)); - - q = link_list[i]; - if (q[0] == '[') { - q++; - }; - - p = strchr(q, ';'); - - if (p == NULL) { - goto parse_error; - } - - gp_link->link_names[i] = talloc_strdup(mem_ctx, q); - if (gp_link->link_names[i] == NULL) { - goto parse_error; - } - gp_link->link_names[i][PTR_DIFF(p, q)] = 0; - - gp_link->link_opts[i] = atoi(p + 1); - - DEBUGADD(10,("gpo_parse_gplink: link: %s\n", - gp_link->link_names[i])); - DEBUGADD(10,("gpo_parse_gplink: opt: %d\n", - gp_link->link_opts[i])); - - } - - status = ADS_SUCCESS; - - parse_error: - TALLOC_FREE(link_list); - - return status; -} - -/**************************************************************** - helper call to get a GP_LINK structure from a linkdn -****************************************************************/ - -ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *link_dn, - struct GP_LINK *gp_link_struct) -{ - ADS_STATUS status; - const char *attrs[] = {"gPLink", "gPOptions", NULL}; - LDAPMessage *res = NULL; - const char *gp_link; - uint32_t gp_options; - - ZERO_STRUCTP(gp_link_struct); - - status = ads_search_dn(ads, &res, link_dn, attrs); - if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_get_gpo_link: search failed with %s\n", - ads_errstr(status))); - return status; - } - - if (ads_count_replies(ads, res) != 1) { - DEBUG(10,("ads_get_gpo_link: no result\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); - if (gp_link == NULL) { - DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); - } - - /* perfectly legal to have no options */ - if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) { - DEBUG(10,("ads_get_gpo_link: " - "no 'gPOptions' attribute found\n")); - gp_options = 0; - } - - ads_msgfree(ads, res); - - return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct); -} - -/**************************************************************** - helper call to add a gp link -****************************************************************/ - -ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *link_dn, - const char *gpo_dn, - uint32_t gpo_opt) -{ - ADS_STATUS status; - const char *attrs[] = {"gPLink", NULL}; - LDAPMessage *res = NULL; - const char *gp_link, *gp_link_new; - ADS_MODLIST mods; - - /* although ADS allows to set anything here, we better check here if - * the gpo_dn is sane */ - - if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) { - return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); - } - - status = ads_search_dn(ads, &res, link_dn, attrs); - if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_add_gpo_link: search failed with %s\n", - ads_errstr(status))); - return status; - } - - if (ads_count_replies(ads, res) != 1) { - DEBUG(10,("ads_add_gpo_link: no result\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); - if (gp_link == NULL) { - gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", - gpo_dn, gpo_opt); - } else { - gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", - gp_link, gpo_dn, gpo_opt); - } - - ads_msgfree(ads, res); - ADS_ERROR_HAVE_NO_MEMORY(gp_link_new); - - mods = ads_init_mods(mem_ctx); - ADS_ERROR_HAVE_NO_MEMORY(mods); - - status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new); - if (!ADS_ERR_OK(status)) { - return status; - } - - return ads_gen_mod(ads, link_dn, mods); -} - -/**************************************************************** - helper call to delete add a gp link -****************************************************************/ - -/* untested & broken */ -ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *link_dn, - const char *gpo_dn) -{ - ADS_STATUS status; - const char *attrs[] = {"gPLink", NULL}; - LDAPMessage *res = NULL; - const char *gp_link, *gp_link_new = NULL; - ADS_MODLIST mods; - - /* check for a sane gpo_dn */ - if (gpo_dn[0] != '[') { - DEBUG(10,("ads_delete_gpo_link: first char not: [\n")); - return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); - } - - if (gpo_dn[strlen(gpo_dn)] != ']') { - DEBUG(10,("ads_delete_gpo_link: last char not: ]\n")); - return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); - } - - status = ads_search_dn(ads, &res, link_dn, attrs); - if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", - ads_errstr(status))); - return status; - } - - if (ads_count_replies(ads, res) != 1) { - DEBUG(10,("ads_delete_gpo_link: no result\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); - if (gp_link == NULL) { - return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); - } - - /* find link to delete */ - /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, - gpo_dn, gpo_opt); */ - - ads_msgfree(ads, res); - ADS_ERROR_HAVE_NO_MEMORY(gp_link_new); - - mods = ads_init_mods(mem_ctx); - ADS_ERROR_HAVE_NO_MEMORY(mods); - - status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new); - if (!ADS_ERR_OK(status)) { - return status; - } - - return ads_gen_mod(ads, link_dn, mods); -} - -/**************************************************************** - parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result -****************************************************************/ - - ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - LDAPMessage *res, - const char *gpo_dn, - struct GROUP_POLICY_OBJECT *gpo) -{ - ZERO_STRUCTP(gpo); - - ADS_ERROR_HAVE_NO_MEMORY(res); - - if (gpo_dn) { - gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn); - } else { - gpo->ds_path = ads_get_dn(ads, mem_ctx, res); - } - - ADS_ERROR_HAVE_NO_MEMORY(gpo->ds_path); - - if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, - "gPCFileSysPath"); - ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path); - - gpo->display_name = ads_pull_string(ads, mem_ctx, res, - "displayName"); - ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name); - - gpo->name = ads_pull_string(ads, mem_ctx, res, - "name"); - ADS_ERROR_HAVE_NO_MEMORY(gpo->name); - - gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, - "gPCMachineExtensionNames"); - gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, - "gPCUserExtensionNames"); - - ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor", - &gpo->security_descriptor); - ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor); - - return ADS_ERROR(LDAP_SUCCESS); -} - -/**************************************************************** - get a GROUP_POLICY_OBJECT structure based on different input parameters -****************************************************************/ - -ADS_STATUS ads_get_gpo(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *gpo_dn, - const char *display_name, - const char *guid_name, - struct GROUP_POLICY_OBJECT *gpo) -{ - ADS_STATUS status; - LDAPMessage *res = NULL; - char *dn; - const char *filter; - const char *attrs[] = { - "cn", - "displayName", - "flags", - "gPCFileSysPath", - "gPCFunctionalityVersion", - "gPCMachineExtensionNames", - "gPCUserExtensionNames", - "gPCWQLFilter", - "name", - "ntSecurityDescriptor", - "versionNumber", - NULL}; - uint32_t sd_flags = DACL_SECURITY_INFORMATION; - - ZERO_STRUCTP(gpo); - - if (!gpo_dn && !display_name && !guid_name) { - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - if (gpo_dn) { - - if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) { - gpo_dn = gpo_dn + strlen("LDAP://"); - } - - status = ads_search_retry_dn_sd_flags(ads, &res, - sd_flags, - gpo_dn, attrs); - - } else if (display_name || guid_name) { - - filter = talloc_asprintf(mem_ctx, - "(&(objectclass=groupPolicyContainer)(%s=%s))", - display_name ? "displayName" : "name", - display_name ? display_name : guid_name); - ADS_ERROR_HAVE_NO_MEMORY(filter); - - status = ads_do_search_all_sd_flags(ads, ads->config.bind_path, - LDAP_SCOPE_SUBTREE, filter, - attrs, sd_flags, &res); - } - - if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_get_gpo: search failed with %s\n", - ads_errstr(status))); - return status; - } - - if (ads_count_replies(ads, res) != 1) { - DEBUG(10,("ads_get_gpo: no result\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - dn = ads_get_dn(ads, mem_ctx, res); - if (dn == NULL) { - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_MEMORY); - } - - status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo); - ads_msgfree(ads, res); - TALLOC_FREE(dn); - - return status; -} - -/**************************************************************** - add a gplink to the GROUP_POLICY_OBJECT linked list -****************************************************************/ - -static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT **gpo_list, - const char *link_dn, - struct GP_LINK *gp_link, - enum GPO_LINK_TYPE link_type, - bool only_add_forced_gpos, - const struct nt_user_token *token) -{ - ADS_STATUS status; - int i; - - for (i = 0; i < gp_link->num_links; i++) { - - struct GROUP_POLICY_OBJECT *new_gpo = NULL; - - if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) { - DEBUG(10,("skipping disabled GPO\n")); - continue; - } - - if (only_add_forced_gpos) { - - if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) { - DEBUG(10,("skipping nonenforced GPO link " - "because GPOPTIONS_BLOCK_INHERITANCE " - "has been set\n")); - continue; - } else { - DEBUG(10,("adding enforced GPO link although " - "the GPOPTIONS_BLOCK_INHERITANCE " - "has been set\n")); - } - } - - new_gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT); - ADS_ERROR_HAVE_NO_MEMORY(new_gpo); - - status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], - NULL, NULL, new_gpo); - if (!ADS_ERR_OK(status)) { - DEBUG(10,("failed to get gpo: %s\n", - gp_link->link_names[i])); - return status; - } - - status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo, - token)); - if (!ADS_ERR_OK(status)) { - DEBUG(10,("skipping GPO \"%s\" as object " - "has no access to it\n", - new_gpo->display_name)); - TALLOC_FREE(new_gpo); - continue; - } - - new_gpo->link = link_dn; - new_gpo->link_type = link_type; - - DLIST_ADD(*gpo_list, new_gpo); - - DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s " - "to GPO list\n", i, gp_link->link_names[i])); - } - - return ADS_ERROR(LDAP_SUCCESS); -} - -/**************************************************************** -****************************************************************/ - -ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *dn, - struct nt_user_token **token) -{ - ADS_STATUS status; - DOM_SID object_sid; - DOM_SID primary_group_sid; - DOM_SID *ad_token_sids; - size_t num_ad_token_sids = 0; - DOM_SID *token_sids; - size_t num_token_sids = 0; - struct nt_user_token *new_token = NULL; - int i; - - status = ads_get_tokensids(ads, mem_ctx, dn, - &object_sid, &primary_group_sid, - &ad_token_sids, &num_ad_token_sids); - if (!ADS_ERR_OK(status)) { - return status; - } - - token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1); - ADS_ERROR_HAVE_NO_MEMORY(token_sids); - - status = ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx, - &primary_group_sid, - &token_sids, - &num_token_sids)); - if (!ADS_ERR_OK(status)) { - return status; - } - - for (i = 0; i < num_ad_token_sids; i++) { - - if (sid_check_is_in_builtin(&ad_token_sids[i])) { - continue; - } - - status = ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx, - &ad_token_sids[i], - &token_sids, - &num_token_sids)); - if (!ADS_ERR_OK(status)) { - return status; - } - } - - new_token = create_local_nt_token(mem_ctx, &object_sid, false, - num_token_sids, token_sids); - ADS_ERROR_HAVE_NO_MEMORY(new_token); - - *token = new_token; - - debug_nt_user_token(DBGC_CLASS, 5, *token); - - return ADS_ERROR_LDAP(LDAP_SUCCESS); -} - -/**************************************************************** -****************************************************************/ - -static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT **gpo_list, - enum GPO_LINK_TYPE link_type) -{ - struct GROUP_POLICY_OBJECT *gpo = NULL; - - ADS_ERROR_HAVE_NO_MEMORY(gpo_list); - - gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT); - ADS_ERROR_HAVE_NO_MEMORY(gpo); - - gpo->name = talloc_strdup(mem_ctx, "Local Policy"); - ADS_ERROR_HAVE_NO_MEMORY(gpo->name); - - gpo->display_name = talloc_strdup(mem_ctx, "Local Policy"); - ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name); - - gpo->link_type = link_type; - - DLIST_ADD(*gpo_list, gpo); - - return ADS_ERROR_NT(NT_STATUS_OK); -} - -/**************************************************************** - get the full list of GROUP_POLICY_OBJECTs for a given dn -****************************************************************/ - -ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *dn, - uint32_t flags, - const struct nt_user_token *token, - struct GROUP_POLICY_OBJECT **gpo_list) -{ - /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */ - - ADS_STATUS status; - struct GP_LINK gp_link; - const char *parent_dn, *site_dn, *tmp_dn; - bool add_only_forced_gpos = false; - - ZERO_STRUCTP(gpo_list); - - if (!dn) { - return ADS_ERROR(LDAP_PARAM_ERROR); - } - - DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn)); - - /* (L)ocal */ - status = add_local_policy_to_gpo_list(mem_ctx, gpo_list, - GP_LINK_LOCAL); - if (!ADS_ERR_OK(status)) { - return status; - } - - /* (S)ite */ - - /* are site GPOs valid for users as well ??? */ - if (flags & GPO_LIST_FLAG_MACHINE) { - - status = ads_site_dn_for_machine(ads, mem_ctx, - ads->config.ldap_server_name, - &site_dn); - if (!ADS_ERR_OK(status)) { - return status; - } - - DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", - site_dn)); - - status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link); - if (ADS_ERR_OK(status)) { - - if (DEBUGLEVEL >= 100) { - dump_gplink(ads, mem_ctx, &gp_link); - } - - status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, - site_dn, &gp_link, - GP_LINK_SITE, - add_only_forced_gpos, - token); - if (!ADS_ERR_OK(status)) { - return status; - } - - if (flags & GPO_LIST_FLAG_SITEONLY) { - return ADS_ERROR(LDAP_SUCCESS); - } - - /* inheritance can't be blocked at the site level */ - } - } - - tmp_dn = dn; - - while ((parent_dn = ads_parent_dn(tmp_dn)) && - (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) { - - /* (D)omain */ - - /* An account can just be a member of one domain */ - if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) { - - DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", - parent_dn)); - - status = ads_get_gpo_link(ads, mem_ctx, parent_dn, - &gp_link); - if (ADS_ERR_OK(status)) { - - if (DEBUGLEVEL >= 100) { - dump_gplink(ads, mem_ctx, &gp_link); - } - - /* block inheritance from now on */ - if (gp_link.gp_opts & - GPOPTIONS_BLOCK_INHERITANCE) { - add_only_forced_gpos = true; - } - - status = add_gplink_to_gpo_list(ads, - mem_ctx, - gpo_list, - parent_dn, - &gp_link, - GP_LINK_DOMAIN, - add_only_forced_gpos, - token); - if (!ADS_ERR_OK(status)) { - return status; - } - } - } - - tmp_dn = parent_dn; - } - - /* reset dn again */ - tmp_dn = dn; - - while ((parent_dn = ads_parent_dn(tmp_dn)) && - (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) { - - - /* (O)rganizational(U)nit */ - - /* An account can be a member of more OUs */ - if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) { - - DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", - parent_dn)); - - status = ads_get_gpo_link(ads, mem_ctx, parent_dn, - &gp_link); - if (ADS_ERR_OK(status)) { - - if (DEBUGLEVEL >= 100) { - dump_gplink(ads, mem_ctx, &gp_link); - } - - /* block inheritance from now on */ - if (gp_link.gp_opts & - GPOPTIONS_BLOCK_INHERITANCE) { - add_only_forced_gpos = true; - } - - status = add_gplink_to_gpo_list(ads, - mem_ctx, - gpo_list, - parent_dn, - &gp_link, - GP_LINK_OU, - add_only_forced_gpos, - token); - if (!ADS_ERR_OK(status)) { - return status; - } - } - } - - tmp_dn = parent_dn; - - }; - - return ADS_ERROR(LDAP_SUCCESS); -} - -#endif /* HAVE_LDAP */ |